On Jan 29, 7:25 pm, Michael Bayer <[email protected]> wrote: > User.name.ilike('%%' + literal(name) + '%%') > > though even if you are saying 'ilike("""%%%s%%""" % name)', that string value > is still converted to a bound parameter, so there's no SQL injection here.
i didn't know that was converted to a bound parameter. that's what i had, and was worried sick about before putting something into production! thanks for everything! -- You received this message because you are subscribed to the Google Groups "sqlalchemy" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/sqlalchemy?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
